1. Block a Specific IP
To block traffic from 192.168.1.100:
access-list 100 deny ip host 192.168.1.100 any access-list 100 permit ip any any
Apply to an interface:
interface GigabitEthernet0/0 ip access-group 100 in
2. Block a Port (e.g., HTTP 80)
To block port 80 for all hosts:
access-list 110 deny tcp any any eq 80 access-list 110 permit ip any any
Apply with:
interface GigabitEthernet0/1 ip access-group 110 out
3. Allow SSH (Port 22) Only from a Trusted IP
Block SSH for all except 10.0.0.5:
access-list 120 permit tcp host 10.0.0.5 any eq 22 access-list 120 deny tcp any any eq 22 access-list 120 permit ip any any
Apply inbound on the SSH interface.
4. Block YouTube (Using DNS & IP Ranges)
Method 1: Block YouTube DNS
access-list 130 deny udp any any eq 53 access-list 130 permit ip any any
(Not foolproof, as users can use IPs directly.)
Method 2: Block Known YouTube IP Ranges
access-list 140 deny tcp any 172.217.0.0 0.0.255.255 access-list 140 deny udp any 172.217.0.0 0.0.255.255 access-list 140 permit ip any any
Final Notes
- Standard ACLs (1-99) filter based on source IP.
- Extended ACLs (100-199) filter IP, port, protocol.
- Always add a
permit anyat the end (ACLs have an implicit deny all). - Use show access-list to verify rules.
Apply ACLs inbound (in) or outbound (out) as needed.
1. Block a Specific IP
To block traffic from 192.168.1.100:
access-list 100 deny ip host 192.168.1.100 any access-list 100 permit ip any any
Apply to an interface:
interface GigabitEthernet0/0 ip access-group 100 in
2. Block a Port (e.g., HTTP 80)
To block port 80 for all hosts:
access-list 110 deny tcp any any eq 80 access-list 110 permit ip any any
Apply with:
interface GigabitEthernet0/1 ip access-group 110 out
3. Allow SSH (Port 22) Only from a Trusted IP
Block SSH for all except 10.0.0.5:
access-list 120 permit tcp host 10.0.0.5 any eq 22 access-list 120 deny tcp any any eq 22 access-list 120 permit ip any any
Apply inbound on the SSH interface.
4. Block YouTube (Using DNS & IP Ranges)
Method 1: Block YouTube DNS
access-list 130 deny udp any any eq 53 access-list 130 permit ip any any
(Not foolproof, as users can use IPs directly.)
Method 2: Block Known YouTube IP Ranges
access-list 140 deny tcp any 172.217.0.0 0.0.255.255 access-list 140 deny udp any 172.217.0.0 0.0.255.255 access-list 140 permit ip any any
Final Notes
- Standard ACLs (1-99) filter based on source IP.
- Extended ACLs (100-199) filter IP, port, protocol.
- Always add a
permit anyat the end (ACLs have an implicit deny all). - Use show access-list to verify rules.
Apply ACLs inbound (in) or outbound (out) as needed.
